Site(s) hacked... need to upgrade, but to which version?


paulb104

Back in 2009 I was teaching myself html and oscommerce. I built two sites for my wife's businesses. The sites weren't very polished but they DID work. At some point I upgraded them to oscommerce-2.2rc2a (or at least I think I did). Then, as things happen, I haven't been able to work on the sites since (other than to do simple things, like change product quantities). This is mostly due to my disabilities and the birth of my daughter.

 

Yesterday I got an automated email from Google saying my site was hacked.

 

Here is that email:

Auto-Submitted: auto-generated

Date: Sat, 23 Jul 2011 18:15:09 +0000

Subject: Malware notification regarding unusualgoods.us

 

Dear site owner or webmaster of unusualgoods.us,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

 

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

 

.us/sxx-car-clp-art

.us/sxx-equine-art/

.us/sxx-laundry-art/

 

Here is a link to a sample warning page:

 

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

 

1) the site was compromised

2) the site doesn't monitor for malicious user-contributed content

3) the site displays content from an ad network that has a malicious advertiser

 

 

If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:

 

Once you've secured your site, you can request that the warning be removed by visiting

and requesting a review. If your site is no longer harmful to users, we will remove the warning.

 

Sincerely,

Google Search Quality Team

 

Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into
and going to the Message Center, where a warning will appear shortly.

 

 

 

Since my knowledge of these things was fleeting at best, the first thing I did was contact my hosting company.

Their response was this:

 

Your account was hacked through the outdated osCommerce software you have installed under your account in the 'jewelry' subdomain. It contains multiple security vulnerabilities of critical severity.

 

The hackers inserted the following code in your /home/unusualg/www/beadshop/.htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule sxx-(.*)$ FCKeditor/editor/filemanager/browser/default/images/icons/32/style.css.php [L]
</IfModule>

Here is an excerpt from the raw server access logs:

 

204.12.242.11 - - [27/Jun/2011:15:15:41 -0400] "GET /create_account.php%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fjewelry.unusualgoods.us%2Fcreate_account.php','6','8','%22create_account.php%22+site%3Aus','',%20'00c1ee0d2a88bd1c88c9551de47156ce9d499ec10335e36c92e9',%200)/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 794 "-" "Avant Browser (
)"

 

 

 

To secure your account, and to avoid similar incidents in future, you will have to upgrade OsCommerce and any third party software you are using on your account to the latest versions. Also, you should remove the malicious code from your /www/beadshop/.htaccess file and delete the /www/beadshop/FCKeditor directory.

I deleted the code and the directory as advised and now I need to update. I do not know if I should go to 2.3.1 or 3.01. I've searched the forums here but the search engine doesn't like the numbers in the search term so I cannot get the appropriate threads to read and learn.

 

The page http://www.oscommerce.com/solutions has both versions but I don't see a version comparison. The 2.3.1 page has a link for a 2.3 upgrade, but not 2.2.

 

Any suggestions, ideas, or simply anything useful would be of great help!!!!

 

Thanks :)

 

Paul

Link to comment
Share on other sites

If you're going to upgrade, 2.3.1 is the only 'ready' option.

 

The hack could have been avoided if you had applied the security updates for 2.2 rc2 here.

 

It appears the file_manager.php and the known location of the admin were used to hack you. This could have been avoided by moving your admin and deleting your file_manager.php files, as outlined in the article above. I strongly suggest the following at the very least, after checking all pages for infections or restoring to a backup prior to the hack.

 

1. Delete file_manager.php and define_language.php

2. Move Admin to a new location

3. Add FWR Security Pro

4. Add .htaccess and .htpasswd to your new admin directory

Link to comment
Share on other sites
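
A way to run the checks suggested above over a web root (an added example, not part of the original thread or any poster's reply): it flags rewrite rules like the one the hosting company quoted, PHP files sitting among static assets, and the two admin files named for deletion. The `ASSET_DIRS` list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Captures the substitution of "RewriteRule <pattern> <substitution> [flags]".
REWRITE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.IGNORECASE)
# A script behind a static-looking name, e.g. style.css.php
DOUBLE_EXT = re.compile(r'\.(css|js|gif|jpe?g|png|ico|txt)\.php$', re.IGNORECASE)
ASSET_DIRS = {'images', 'icons', 'css', 'img'}  # assumed static-only directory names
ADMIN_TOOLS = {'file_manager.php', 'define_language.php'}  # named in the thread

def odd_php(path):
    """True for a PHP script disguised as, or stored among, static assets."""
    path = path.split('?', 1)[0].lower()
    dirs = set(path.split('/')[:-1])
    return path.endswith('.php') and bool(DOUBLE_EXT.search(path) or dirs & ASSET_DIRS)

def audit(webroot):
    """Return sorted (kind, relative path, detail) findings for one web root."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, '/')
            if name == '.htaccess':
                with open(full, errors='replace') as fh:
                    for line in fh:
                        if (m := REWRITE.match(line)) and odd_php(m.group(1)):
                            found.append(('rewrite', rel, line.strip()))
            elif name.lower() in ADMIN_TOOLS:
                found.append(('admin-tool', rel, name))
            elif odd_php(rel):
                found.append(('php-in-assets', rel, name))
    return sorted(found)

def build_sample(root):
    """Write a constructed tree that mirrors the paths quoted in the thread."""
    bad = 'FCKeditor/editor/filemanager/browser/default/images/icons/32/style.css.php'
    tree = {'beadshop/.htaccess': 'RewriteEngine On\nRewriteRule sxx-(.*)$ %s [L]\n' % bad,
            'beadshop/' + bad: '', 'beadshop/admin/file_manager.php': '',
            'beadshop/index.php': ''}
    for rel, body in tree.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write(body)

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit(tmp), sep='\n')
```

Each finding is a lead to review by hand against a known-good copy of the shop; files that match none of these patterns are not thereby shown to be clean.
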

Although many suggest upgrading as a good way to stop hackers, I firmly believe that if you are going to change versions, then you should just create a NEW website using v2.3.1 and delete the OLD website completely.

 

I have had to clean several 2.3.1 sites after the client has upgraded it themselves from previous versions because the client failed to remove the anomalous files from the server prior to updating. I suggest that, if you are not experienced, you hire someone who is.

Chris

Link to comment
Share on other sites

As I mentioned before, I worked on the site in 2009 and I barely was able to get the site up.

 

For instance,

1. Delete file_manager.php and define_language.php

2. Move Admin to a new location

 

I have no idea how to do these things. None at all.

Link to comment
Share on other sites

Here are the upgrade guides.

Firstly upgrade 2.2 to 2.3 then 2.3 to 2.3.1

 

http://www.oscommerc.../Upgrade+Guides

 

Those "upgrade guides" are almost complete gibberish to me. I've seen the upgrade guide at another site as a pdf file. A one hundred and twenty five page pdf file. Maybe it's because I'm used to Windows, but upgrade guides usually start with Step 1, then Step 2, and so on....

Link to comment
Share on other sites
